the nation. While these rules are often quite dry and don't often contain controversial provisions, they are extremely important to the conduct of criminal trials and contain the procedural rules that govern not only the conduct of a trial but also the conduct of law enforcement personnel who gather evidence that may be used at trial.

The U.S. Supreme Court just took a major step regarding one of the FRCP rules -- Rule 41 -- which could expand the authority of federal law enforcement to remotely access and control users' computing devices and systems. Let's take a closer look at Rule 41, why privacy advocates oppose it and what it could mean for enterprises.

What is Rule 41?

On April 28, 2016, the U.S. Supreme Court submitted proposed amendments to the FRCP that cover a variety of changes to criminal trial procedures. One of those in particular is of great interest to information security and privacy experts. Rule 41 governs the search and seizure of evidence that may be used in a criminal proceeding. The text of the proposed rule change reads:

"A magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of (a computer crime)…the media are protected computers that have been damaged without authorization and are located in five or more districts."

On its face, the proposed language sounds like a benign attempt to ensure that federal courts have the authority to act in cases where the correct jurisdiction is unclear. Privacy advocates, however, point out that the new rules could have much more sinister applications. Rainey Reitman, activism director for the Electronic Frontier Foundation, issued a statement claiming, in part, that "the change to Rule 41 isn't merely a procedural update." She claims that "it significantly expands the hacking capabilities of the United States government without any discussion or public debate by elected officials."

It does seem fair to equate the powers being granted to federal judges by this change to hacking. After all, how will law enforcement officials gain "remote access to search" suspect computer systems without resorting to hacking tools and techniques?

Privacy advocates also point out that the first clause in this proposed change allows any magistrate judge anywhere in the country to issue a warrant in a case where the system's location has been "concealed through technological means." This clause would certainly apply to systems running Tor or other privacy software, but it also might be interpreted to apply to any system using a VPN, proxy server or other privacy technology. This clause allows for "venue shopping," where law enforcement officials may find a friendly judge and ask that judge to issue warrants that may then apply anywhere in the country.

The second clause seems to directly apply to botnets that include infected systems in five or more districts. The authority granted by this clause allows a federal judge to authorize law enforcement officials to surreptitiously gain access to the innocent systems that are members of the botnet. These are not the systems belonging to hackers but, in most cases, computers belonging to private individuals that have been infected by bots. Government agents would then have access to all of the information stored on that system, perhaps compounding the effects of one security compromise by causing a second incident.

What's next?

The Supreme Court does have the authority to amend the FRCP's Rule 41, but Congress does also play a role in the process. If Congress does not act, the proposed changes will take effect on December 1, 2016. However, Congress does have the seldom-used authority to reject or modify the proposed changes. The EFF and other activists are lobbying Congress to do just that. We'll have to wait and see whether Congress chooses to take action.

In the meantime, until Rule 41 is either finalized, rejected or altered, there's not much practical effect on enterprise cybersecurity. Certainly, organizations should be aware that law enforcement officials may obtain warrants that allow them to hack into enterprise systems, but the controls used to defend against those attacks are similar to the controls that organizations should already have in place to defend against any advanced persistent threat.

3 comments

Again we are hit with another story about the government looking for a way to get information legally by the use of judges and people start screaming. For those who use methods to try and hide their identity, my question is why? What are you trying to hide that you want nobody to find out? They could just be opening themselves to lawsuits if they stray from what the warrant is issued for. The only real thing that bothers me is the issue with the bots. If you do not know you have a bot in place and the government starts cracking into all of those computers on the network, why look at my PC or anyone else's? Granted they will get vacation pics and recipes as well as a few games. Unless someone installed something without my knowledge. Again this falls partly on the user as they may not be running adequate security to prevent these things...

Paradox - VW and TDI engines. VW has a disgrace and a problem with TDI engines. Combustion of diesel is a chemical process. Principles, one can not change. Creating software is only human work. Bug in the operating system is the result of poor human work. Is time to change the basics of IT/ cyber security - http://www.slideshare.net/JiNapravnik/its-time-to-change-the-basics-of-ict-security